Category Archives: GDPR

I blogged on Monday about the government Statement of Intent regarding the forthcoming Data Protection Bill. What I missed at the time was an accompanying release on the Department for Digital, Culture, Media and Sport (DCMS) website. Having now seen it, I realise why so many media outlets have been making a profoundly misleading statement about consent under the new data protection law: they have lifted it directly from DCMS. The statement is

The Data Protection Bill will require ‘explicit’ consent to be necessary for processing sensitive personal data

It should only take a second to realise how wrong this is: sensitive personal data will include information about, among other things, health, and criminal convictions. Is the government proposing, say, that, before passing on information about a critically injured patient to an A&E department, a paramedic will have to get the unconscious patient’s explicit consent? Is it proposing that before passing on information about a convicted sex offender to a local authority social care department the Disclosure and Barring Service will have to get the offender’s explicit consent?

Of course not – it’s absolute nonsense to think so, and the parliamentary drafters of the forthcoming Bill would not dream of writing the law in such a way, not least because it would contravene our obligations under the General Data Protection Regulation (GDPR) around which much of the Bill will be based. GDPR effectively mirrors the existing European Data Protection Directive (given effect in our existing Data Protection Act 1998). Under these laws, there are multiple circumstances under which personal data, and higher-category sensitive personal data can be processed. Consent is one of those. But there are, in Article 9(2) of GDPR, nine other conditions which permit the processing of special category data (the GDPR term used to replicate what is called “sensitive personal data” under existing domestic data protection law), and GDPR affords member states the power to legislate for further conditions.

What the DCMS release should say is that when consent is legitimately relied upon to process sensitive personal data the consent must be explicit. I know that sentence has got more words on it than the DCMS original, but that’s because sometimes a statement needs more words in order to be correct, and make sense, rather than mislead on a very important point regarding people’s fundamental rights.

I tweeted Matt Hancock, the minister, about the error, but with no answer as yet. I’ve also invited DCMS to correct it. The horse has already bolted though, as a Google news search for the offending phrase will show. The Information Commissioner’s Office has begun a series of pieces addressing GDPR myths, and I hope this is one they’ll talk about, but DCMS themselves should still issue a corrective, and soon.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Not so much a Statement of Intent, as a Statement of the Bleeding Obvious

The wait is not quite over. We don’t yet have a Data Protection Bill, but we do have a Statement of Intent from DCMS, explaining what the proposed legislation will contain. I though it would be helpful to do a short briefing note based on my very quick assessment of the Statement. So here it is

IT’S JUST AN ANNOUNCEMENT OF ALL THE THINGS THE UK WOULD HAVE TO IMPLEMENT ANYWAY UNDER EUROPEAN LAW

By which I mean, it proposes law changes which will be happening in May next year, when the General Data Protection Regulation becomes directly applicable, or changes made under our obligation to implement the Police and Crime Directive. In a little more detail, here are some things of passing interest, none of which is hugely unexpected.

As predicted by many, at page 8 it is announced that the UK will legislate to require parents to give consent to children’s access to information society services (i.e. online services) where the child is under 13 (rather than GDPR’s default 16). As the UK lobbied to give member states discretion on this, it is no surprise.

Exemptions from compliance with majority of data protection law when the processing is for the purposes of journalism will remain (page 19). The Statement says that the government

believe the existing exemptions set out in section 32 strike the right balance between privacy and freedom of expression

But of potential note is the suggestion that

The main difference will be to amend provisions relating to the ICO’s enforcement powers to strengthen the ICO’s ability to enforce the re-enacted section 32 exemptions effectively

Without further details it is impossible to know what will be proposed here, but any changes to the existing regime which might have the effect of decreasing the size of the media’s huge carve-out will no doubt be vigorously lobbied against.

There is confirmation (at pp17 and 18) that third parties (i.e. not just criminal justice bodies) will be able to access criminal conviction information. Again, this is not unexpected – the regime for criminal records checks for employers etc was unlikely to be removed.

The Statement proposes a new criminal offence of intentionally or recklessly re-identifying individuals from anonymised or pseudonymised data, something the Commons Science and Technology Committee has called for. Those who subsequently process such data will also be guilty of an offence. The details here will be interesting to see – as with most privacy-enhancing technology, in order for anonymisation to be robust it needs to stress-tested – such testing will not be effective if those undertaking do so at risk of committing an offence, so presumably the forthcoming Bill will provide for this.

I also note that the existing offence of unlawfully obtaining personal data will be widened to those who retain personal data against the wishes of the data controller, even where it was initially obtained lawfully. This will probably cover those situations where people gather or are sent personal data in error, and then refuse to return it.

There is one particular howler at page 21, which suggests the government doesn’t understand what privacy by design and privacy by default mean:

The Bill will also set out to reassure citizens by promoting the concept of “privacy by default and design”. This is achieved by giving citizens the right to know when their personal data has been released in contravention of the data protection safeguards, and also by offering them a clearer right of redress

Privacy by design/default is about embedding privacy protection throughout the lifecycle of a project or process etc., and has got nothing at all to do with notifying data subjects of breaches, and whether this is a drafting error in the Statement, or a fundamental misunderstanding, it is rather concerning that the government, which makes much of “innovation” (around which privacy by design should be emphasised), fails to get this right.

So that’s a whistle stop tour of the Statement, ignoring all the fluff about implementing things which are required under GDPR and the Directive. I’ll update this piece in due course, if anything else emerges from a closer reading.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

In rather shocking news I can reveal that Roy Flynn, 58, of Windsor Road, Wath-upon-Dearne, is potentially facing fines of more than £60 trillion, under the EU General Data Protection Regulation.

The regulations, which will become law next May, and will require consent for everything anyone does ever, leave data controllers liable for fines of €20 million every time they are breached.

Mr Flynn is known to be an active social media user, and a member of several local clubs, including the Wombwell Top Gear Appreciation Society, the Mexborough Real Ale Club and the Brampton Bierlow Fat Men on Expensive Bicycles Group. He regularly makes personal comments about people on web articles, posts Facebook updates about fellow members of these societies and repeatedly fails to use “blind copy” when sending group emails. It has also been reported that he uses an unencrypted Dell Inspiron laptop with anti-virus software that was last updated in August 2007.

Cyber security experts are now warning Mr Flynn that unless he downloads their GDPR White Paper and purchases their unique data discovery tool he will be liable for fines in excess of the total amount of money in the entire world. It is being suggested that this could cause significant disruption to his community activities.

However, when contacted by the author Mr Flynn would only comment “Bugger off you soft Southern weirdo”.

The Information Commissioner’s Office has said “we are aware of this incident and are making enquiries”. We expect to hear the outcome of these enquiries within the next decade.

ICO wants 200 more staff for GDPR , but its Board think there’s a risk it will instead be losing them

The General Data Protection Regulation (GDPR) is, without doubt, a major reconfiguring of European data protection law. And quite rightly, in the lead-up to its becoming fully applicable on 25 May next year, most organisations are considering how best they can comply with its obligations, and, where necessary, effecting changes to achieve that compliance. As altruistic as some organisations are, a major driver for most is the fear that, under GDPR, regulatory sanctions can be severe. Regulators (in the UK this is the Information Commissioner’s Office (ICO)) will retain powers to force organisations to do, or to stop, something (equivalent to an enforcement notice under our current Data Protection Act 1998 (DPA)), but they will also have the power to levy civil administrative fines of up to €20 million, or 4% of annual global turnover. Much media coverage has, understandably, if misleadingly, focused on these increased “fining” powers (the maximum monetary under the DPA is £500,000). I use the word “misleadingly”, because it is by no means clear that regulators will use the full fining powers available to them: GDPR provides regulators with many other options (see Article 58) and recital 129 in particular states that measures taken should be

appropriate, necessary and proportionate in view of ensuring compliance with this Regulation [emphasis added]

Commentators stressing the existence of these potentially huge administrative fines should be referred to these provisions of GDPR.

But in the UK, at least, another factor has to be born in mind, and that is the regulator’s capacity to effectively enforce the law. In March this year, the Information Commissioner herself, Elizabeth Denham, told the House of Lords EU Home Affairs Sub-Committee that with the advent of GDPR she was going to need more resource

With the coming of the General Data Protection Regulation we will have more responsibilities, we will have new enforcement powers. So we are putting in new measures to be able to address our new regulatory powers…We have given the government an estimate that we will need a further 200 people in order to be able to do the job.

Those who rather breathlessly reported this with headlines such as “watchdog to hire hundreds more staff” seem to have forgotten the old parental adage of “I want doesn’t always get”. For instance, I want a case of ’47 Cheval Blanc delivered to my door by January Jones, but I’m not planning a domestic change programme around the possibility.

In fact, the statement by Denham might fall into a category best described as “aspirational”, or even “pie in the sky”, when one notes that the ICO Management Board recently received an item on corporate risk, the minutes from which state that

Concern was expressed about the risk of losing staff as GDPR implementation came closer. There remained a risk that the ICO might lose staff in large numbers, but to-date the greater risk was felt to be that the ICO could lose people in particular roles who, because of their experience, were especially hard to replace.

The ICO has long been based in the rather upmarket North West town of Wilmslow (the detailed and parochial walking directions from the railway station to the office have always rather amused me). There is going to be a limited pool of quality candidates there, and ICO pays poorly: current vacancies show case officers being recruited at starting salary of £19,527, and I strongly suspect case officers are the sort of extra staff Denham is looking at.

If ICO is worried about GDPR being a risk to staff retention (no doubt on the basis that better staff will get poached by higher paying employers, keen to have people on board with relevant regulatory experience), and apparently can’t pay a competitive wage, how on earth is it going to retain (or replace) them, and then recruit 200 more, from those sleepy Wilmslow recruitment fairs?

I write this blogpost, I should stress, not in order to mock or criticise Denham’s aspirations – she is absolutely right to want more staff, and to highlight the fact to Westminster. Rather, I write it because I agree with her, and because, unless someone stumps up some significant funding, I fear that the major privacy benefits that GDPR should bring for individuals (and the major sanctions against organisations for serious non-compliance) will not be realised.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

I wrote recently about the change to the Information Commissioner’s Office (ICO) registration process, which enables domestic users of CCTV to notify the ICO of that fact, and pay the requisite fee of £35. I noted that this meant that

it is the ICO’s apparent view that if you use CCTV in your household and capture footage outside the boundaries of your property, you are required to register this fact publicly with them, and pay a £35 fee. The clear implication, in fact the clear corollary, is that failure to do so is a criminal offence.

I didn’t take issue with the correctness of the legal position, but I went on to say that

The logical conclusion…here is that anyone who takes video footage anywhere outside their home must register

I even asked the ICO, via Twitter, whether users of dashcams should also register, to which I got the reply

If using dashcam to process personal data for purposes not covered by domestic exemption then would need to comply with [the Data Protection Act 1998]

This subject was moved from the theoretical to the real today, with news that Norfolk Constabulary are encouraging drivers using dashcams to send them footage of “driving offences witnessed by members of the public”.

Following the analyses of the courts, and the ICO, as laid out here and in my previous post, such usage cannot avail itself of the exemption from notification for processing of personal data “only” for domestic purposes, so one must conclude that drivers targeted by Norfolk Constabulary should notify, and pay a £35 fee.

At this rate, the whole of the nation would eventually notify. Fortunately (or not) the General Data Protection Regulation becomes directly applicable from May next year. It will remove the requirement to give notification of processing. Those wishing, then, to avoid the opprobrium of being a common criminal have ten months to send their fee to the ICO. Others might question how likely it is that the full force of the law will discover their criminality, and prosecute, in that short time period.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

The Information Commissioner thinks that countless households operating CCTV systems need to register this, and pay a £35 fee for doing so. If they don’t, they might be committing a crime. The Commissioner is probably mostly correct, but it’s a bit more complex than that, for reasons I’ll explain in this post.

Back in 2014, to the surprise of no one who had thought about the issues, the Court of Justice of the European Union (CJEU) held that use of domestic CCTV to capture footage of identifiable individuals in public areas could not attract the exemption at Article 3(2) of the European data protection directive for processing of personal data

by a natural person in the course of a purely personal or household activity

Any use of CCTV, said the CJEU, for the protection of a house or its occupiers but which also captures people in a public space is thus subject to the remaining provisions of the directive:

the operation of a camera system, as a result of which a video recording of people is stored on a continuous recording device such as a hard disk drive, installed by an individual on his family home for the purposes of protecting the property, health and life of the home owners, but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision

As some commentators pointed out at the time, the effect of this ruling was potentially to place not just users of domestic CCTV systems under the ambit of data protection law, but also, say, car drivers using dashcams, cyclists using helmetcams, and many other people using image recording devices in public for anything but their own domestic purposes.

Under the directive, and the UK Data Protection Act 1998, any data controller processing personal data without an exemption (such as the one for purely personal or household activity) must register the fact with the relevant supervisory authority, which in the UK is the Information Commissioner’s Office (ICO). Failure to register in circumstances under which a data controller should register is a criminal offence punishable by a fine. There is a two-tier fee for making an entry in the ICO’s register, set at £35 for most data controllers, and £500 for larger ones.

For some time the ICO has advised corporate data controllers that if they use CCTV on their premises they will need to register:

But I recently noticed that the registration page itself had changed, and that there is now a separate button to register “household CCTV”

If one clicks that button one is taken to a page which informs that, indeed, a £35 fee is payable, and that the information provided will be published online

There is a link to the ICO’s overarching privacy notice [ed. you’re going to have to tighten that up for GDPR, guys] but the only part of that notice which talks about the registration process relates only to “businesses”

Continuing the household CCTV registration process, one then gets to the main screen, which requires that the responsible person in the household identify themselves as data controller, and give either their household or email address for publication

What this all means is that it is the ICO’s apparent view that if you use CCTV in your household and capture footage outside the boundaries of your property, you are required to register this fact publicly with them, and pay a £35 fee. The clear implication, in fact the clear corollary, is that failure to do so is a criminal offence.

(In passing, there is a problem here: the pages and the process miss the point that for the registration to be required, the footage needs to be capturing images of identifiable individuals, otherwise no personal data is being processed, and data protection law is simply not engaged. What if someone has installed a “nest cam” in a nearby wooded area? Is ICO saying they are committing a criminal offence if they fail to register this? Also, what if the footage does capture identifiable individuals outside the boundaries of a household, but the footage is only taken for household, rather than crime reduction purposes? The logical conclusion of the ICO pages here is that anyone who takes video footage anywhere outside their home must register, which contradicts their guidance elsewhere.)

What I find particularly surprising about all this is that, although fundamentally it is correct as a matter of law (following the Ryneš decision by the CJEU), I have seen no publicity from the ICO about this pretty enormous policy change. Imagine how many households potentially *should* register, and how many won’t? And, therefore, how many the ICO is implying are committing a criminal offence?

And one thing that is really puzzling me is why this change, now? The CJEU ruling was thirty months ago, and in another eleven months, European data protection law will change, removing – in the UK also – the requirement to register in these circumstances. If it was so important for the ICO to effect these changes before then, why keep it quiet?

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

On 24 June, as 48% of the UK was holding its head in its hands and wondering what the hell the other 52% had done, the Information Commissioner’s Office (ICO) issued a statement. It said

If the UK is not part of the EU, then upcoming EU reforms to data protection law would not apply directly to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.

Over the coming weeks we will be discussing with Government the implications of the referendum result and its impact on data protection reform in the UK.

With so many businesses and services operating across borders, international consistency around data protection laws and rights is crucial both to businesses and organisations and to consumers and citizens. The ICO’s role has always involved working closely with regulators in other countries, and that will continue to be the case.

Having clear laws with safeguards in place is more important than ever given the growing digital economy, and we will be speaking to government to present our view that reform of the UK law remains necessary.

One notes that references to adequacy, and equivalence with the General Data Protection Regulation, have disappeared. And one wonders why – does the ICO now think that a post-Brexit UK would not need to have equivalent standards to the GDPR? If so, that would certainly represent a bold position. In a response to a request for a comment an ICO spokesperson informed me that

We noted the debates about different options that emerged following the referendum result and we decided to move to a simpler statement to avoid being too closely associated to any one particular position

I’m grateful to them for this, and it is in itself very interesting. Privacy Laws and Business recently informed their news feed subscribers that the government is keen to hear from stakeholders their views on the future of the UK data protection regime, so maybe everything is up for grabs.

But a fundamental point remains: if the EU (and indeed the CJEU – see Schrems et al) currently has exacting data protection standards for external states to meet to secure trading rights, realistically could the UK adopt a GDPR-lite regime? It strikes me as a huge risk if we did. But then again, voting for Brexit struck me as a huge (and pointless) risk, and look what happened there.

Ultimately, I’m surprised and disappointed the ICO have resiled from their initial clear and sensible statement. I would have preferred that, rather than “noting the debates” about post-Brexit data protection, they actually directed and informed those debates.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

[Edited to add: it is well worth reading the comments to this piece, especially the ones from Chris Pounder and Reuben Binns]

I needed a way to break a blogging drought, and something that was flagged up to me by a data protection colleague (thanks Simon!) provides a good opportunity to do so. It suggests that the drafting of the GDPR could lead to an enormous workload for the ICO.

The General Data Protection Regulation (GDPR) which entered into force on 24 May this year, and which will apply across the European Union from 25 May 2018, mandates the completion of Data Protection Impact Assessments (DPIAs) where indicated. Article 35 of the GDPR explains that

Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data

In the UK (and indeed elsewhere) we already have the concept of “Privacy Impact Assessments“, and in many ways all that the GDPR does is embed this area of good practice as a legal obligation. However, it also contains some ancillary obligations, one of which is to consult the supervisory authority, in certain circumstances, prior to processing. And here is where I get a bit confused.

Article 36 provides that

The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk[emphasis added]

A close reading of Article 36 results in this: if the data controller conducts a DPIA, and is of the view that if mitigating factors were not in place the processing would be high risk, it will have to consult supervisory authority (in the UK, the Information Commissioner’s Office (ICO)). This is odd: it effectively renders any mitigating measures irrelevant. And it appears directly to contradict what recital 84 says

Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing [emphasis added]

So, the recital says the obligation to consult will arise where high risk is involved which the controller can’t mitigate, while the Article says the obligation will arise where high risk is involved notwithstanding any mitigation in place.

Clearly, the Article contains the specific legal obligation (the recital purports to set out the reason for the contents of the enacting terms), so the law will require data controllers in the UK to consult the ICO every time a DPIA identifies an inherently high risk processing activity, even if the data controller has measures in place fully to mitigate and contain the risk.

For example, let us imagine the following processing activity – collection of and storage of customer financial data for the purposes of fulfilling a web transaction. The controller might have robust data security measures in place, but Article 36 requires it to consider “what if those robust measures were not in place? would the processing be high risk?” To which the answer would have to be “yes” – because the customer data would be completely unprotected.

In fact, I would submit, if article 36 is given its plain meaning virtually any processing activity involving personal data, where there is an absence of mitigating measures, would be high risk, and create a duty to consult the ICO.

What this will mean in practice remains to be seen, but unless I am missing something (and I’d be delighted to be corrected if so), the GDPR is setting the ICO and other supervisory authorities up for a massive influx of work. With questions already raised about the ICO’s funding going forward, that is the last thing they are likely to need.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

The ICO’s plan for an “information rights levy” appears to have been scuppered by the government. But is retaining data protection notification fees the way to solve the funding problem?

Back in the heady days of January 2012, when a naive but optimistic European Commission proposed a General Data Protection Regulation (GDPR), to replace the existing 1995 Directive, one of the less-commented-on proposals was to remove the requirement for data controllers to notify their processing activities to the national data protection authority. However, the UK Information Commissioner’s Office (ICO) certainly noticed it, because the implications were that, at a stroke, a large amount of ICO funding would disappear. Currently, section 18(5) of the Data Protection Act 1998 (DPA), and accompanying secondary legislation, mean that data controllers (unless they have an exemption) must pay an annual fee to the ICO of either £35 or £500 (depending upon the size of the organisation). In 2012-2013 this equated to an estimated income of £17.4m, and this income effectively funds all of the ICO’s data protection regulatory actions (its FOI functions are funded by grant-in-aid from the Ministry of Justice).

Three years later, and the GDPR is still not with us. However, it will eventually be passed, and when it is, it seems certain that the requirement under European law to notify will be gone. Because of this, as the Justice Committee recognised in 2013, alternative ICO funding means need to be identified as soon as possible. The ICO’s preferred choice, and one which Christopher Graham has certainly been pushing for, was an “Information Rights Levy”, the details of which were not specified, but which it appears was proposed to be paid by data controllers and public authorities (subject to FOI) alike. In the 2013/14 ICO Annual Report Graham was bullish in calling for action:

Parliament needs to get on with the task of establishing a single, graduated information rights levy to fund the important work of the ICO as the effective upholder of our vital right to privacy and right to know

But this robust approach doesn’t seem to have worked. At a recent meeting of the ICO Management Board a much more pessimistic view emerges. In a report entitled “Registration Fee Strategy” it is said that

The ICO has previously highlighted the need for an ‘information rights fee’ or one fee, paid by organisations directly to the ICO, to fund all information rights activities. Given concerns across government that this would result in private sector cross subsidising public sector work, the ICO recognises that this is unlikely in the short term

The report goes on, therefore, to talk about proposed changes to the current fee/notification process, and about ways of identifying who needs to pay.

But, oddly, it seems to assume that although the GDPR will remove the requirement for a data controller to notify processing to the ICO, the UK will retain the discretion to continue with such arrangements (and to charge a fee). I’m not sure this is right. As I’ve written previously, under data protection law at least some recreational bloggers have a requirement to notify (and pay a fee), and the legal authorities are clear that the law’s ambit extends to, for instance, individuals operating domestic CCTV, if that CCTV covers public places where identifiable individuals are. Indeed, as the 2004 Lindqvist case found

The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number…constitutes the processing of personal data…[and] is not covered by any of the exceptionsin Article 3(2) of Directive 95/46 [section 36 of the DPA transposes Article 3(2) into domestic law]

It is arguable that, to varying extents, we are all data controllers now (and ones who will struggle to avail ourselves of the data protection exemption for domestic purposes). Levying a fee on all of us, in order that we can lawfully express ourselves, has the potential to be a serious infringement of our right to freedom of expression under Article 10 of the European Convention on Human Rights, and even more directly, Article 11 of the Charter of Fundamental Rights of the European Union.

The problem of how to effectively fund the ICO in a time of austerity is a challenging one, and I don’t envy those at the ICO and in government who are trying to solve it, but levying a tax on freedom of expression (which notification arguably already is, and would almost certainly be if the GDPR doesn’t actually require notification) is not the way to do so.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with..

Everyone knows the concept of ambulance chasers – personal injury lawyers who seek out victims of accidents or negligence to help/persuade the latter to make compensation claims. With today’s judgment in the Court of Appeal in the case of Vidal-Hall & Ors v Google [2015] EWCA Civ 311 one wonders if we will start to see data protection ambulance chasers, arriving at the scene of serious “data breaches” with their business cards.

This is because the Court has made a definitive ruling on the issue, discussed several times previously on this blog, of whether compensation can be claimed under the Data Protection Act 1998 (DPA) in circumstances where a data subject has suffered distress but no tangible, pecuniary damage. Section 13 of the DPA provides that

(1)An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.

(2)An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—

(a)the individual also suffers damage by reason of the contravention

This differs from the wording of the European Data Protection Directive 95/46/ec, which, at Article 23(1) says

Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered

It can be seen that, in the domestic statutory scheme “distress” is distinct from “damage”, but in the Directive, there is just a single category of “damage”. The position until relatively recently, following Johnson v Medical Defence Union[2007] EWCA Civ 262, had been that it meant pecuniary damage, and this in turn meant, as Buxton LJ said in that case, that “section 13 distress damages are only available if damage in the sense of pecuniary loss has been suffered”. So, absent pecuniary damage, no compensation for distress was available (except in certain specific circumstances involving processing of personal data for journalistic, literary or artistic purposes). But, this, said Lord Dyson and Lady Justice Sharp, in a joint judgment, was wrong, and, in any case, they were not bound by Johnson because the relevant remarks in that case were infact obiter. In fact, they said, section 13(2) DPA was incompatible with Article 23 of the Directive:

What is required in order to make section 13(2) compatible with EU law is the disapplication of section 13(2), no more and no less. The consequence of this would be that compensation would be recoverable under section 13(1) for any damage suffered as a result of a contravention by a data controller of any of the requirements of the DPA

And this means a few things. It certainly means that it will be much easier for an aggrieved data subject to bring a claim for compensation against a data controller which has contravened its obligations under the DPA in circumstances where there is little, or no, tangible or pecuniary damage, but only distress. It also means that we may well start to see the rise of data protection ambulance chasers – the DPA may not give rise to massive settlements, but it is a relatively easy claim to make – a contravention is often effectively a matter of fact, or is found to be such by the Information Commissioner, or is conceded/admitted by the data controller – and there is the prospect of group litigation (in 2013 Islington Council settled claims brought jointly by fourteen claimants following disclosure of their personal data to unauthorised third parties – the settlement totalled £43,000).

I mentioned in that last paragraph that data controller sometimes concede or admit to contraventions of their obligations under the DPA. Indeed, they are expected to by the Information Commissioner, and the draft European General Data Protection Regulation proposes to make it mandatory to do so, and to inform data subjects. And this is where I wonder if we might see another effect of the Vidal-Hall case – if data controller know that by owning up to contraventions they may be exposing themselves to multiple legal claims for distress compensation, they (or their shareholders, or insurers) may start to question why they should do this. Breach notification may be seen as even more of a risky exercise than it is now.

There are other interesting aspects to the Vidal-Hall case – misuse of private information is, indeed, a tort, allowing service of the claims against Google outside jurisdiction, and there are profound issues regarding the definition of personal data which are undecided and, if they go to trial, will be extremely important – but the disapplying of section 13(2) DPA looks likely to have profound effects for data controllers, for data subjects, for lawyers and for the landscape of data protection litigation in this country.

The views in this post (and indeed all posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.